IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the kms:Decrypt or kms:ReEncryptFrom permissions and only for the keys that are required to perform a task.
Identities may be able to decrypt data which they should not have access to
Scope down the resources of the IAM policy to specific keys
The following example will fail the aws-iam-block-kms-policy-wildcard check.
The following example will pass the aws-iam-block-kms-policy-wildcard check.